Effective enterprise security is about data, not devices

This is a contributed article by Mike Schuricht, VP Product Management at Bitglass

In recent years, the use of mobile devices in the workplace has soared as organizations become aware of the benefits that flexible working practices can have on productivity, and in turn, on the bottom line. However, those same organizations are less keen to acknowledge the security risks associated with having so many vulnerable endpoints connecting to the cloud and corporate network. For most, the answer lies in a ‘trusted device’ security model, but as the mobile working revolution continues to grow apace, the cracks in this approach are becoming more and more apparent.

Trusted devices can’t always be trusted

Trusted devices are those with some basic protections and over which the organization has some kind of control. Often, these managed devices have software agents installed on them by IT to secure traffic to the corporate network and to check for software updates. Once those checks pass, trusted devices typically receive unfettered access to the corporate network, allowing users to retrieve the information they need to do their jobs from anywhere in the world.

Employees with trusted devices often have access to some of the most sensitive data in an enterprise. Indeed, many of the world’s largest banks and even government agencies rely on a trusted device model. However, while the majority of today’s mobile platforms are much more secure than legacy platforms, every endpoint remains exposed to loss, theft, and attacks that target the data rather than the device itself; a fully patched, locked-down phone still leaks data when it is left in a taxi or when a user is phished. With this in mind, organizations should be increasingly concerned about these threats.

The MDM/MAM conundrum

In a bid to tackle the security issues described above, many organizations turn to Mobile Device Management (MDM) or Mobile Application Management (MAM). Both approaches rely on software installed on the device (a management agent in the case of MDM, a managed or wrapped application in the case of MAM) for close monitoring and control. Once that software is in place, security actions such as remote data wipes, PIN enforcement, and network restrictions can all be handled centrally.

Deploying MDM software can be difficult. Managing installation across hundreds, or even thousands, of devices is logistically hard, as are the regular updates that follow. Furthermore, MDM/MAM raises several privacy issues, particularly when the device in question is a personal one, which is increasingly common with the rise of bring your own device (BYOD) initiatives. While an MDM/MAM agent lets IT keep an eye on corporate data, it can also mean that a user’s private traffic is routed through the corporate network, depending on how the device’s VPN or proxy settings are configured. A recent study into BYOD adoption found that just 44% of employees would accept MDM or MAM on their personal devices. Many reject these solutions altogether and find workarounds if they are forced upon them, often resulting in high-risk “shadow IT” (the use of unmanaged applications) and further risks to corporate data.

Effective security focuses on the data, not the device

The same study found that employees are far more willing to participate in BYOD initiatives if employers can only monitor corporate data, not personal data. Additionally, rather than controlling every aspect of a device, IT should limit its intervention to the corporate data flows that matter, and to the devices and destinations deemed to be risky. This approach brings the best of both worlds: security for the organization and privacy for the user.

In order to achieve this happy medium, businesses should look towards more progressive, ‘agentless’ solutions. This relatively new approach to mobile security emphasizes the idea that it’s not the device but the data that needs protecting. Unlike MDM or MAM, agentless solutions don’t require software to be installed on the device; they sit in the path of corporate data traffic (typically between the user and the cloud application) and monitor and protect only that traffic, so the user’s personal activity is never touched. Because there’s no agent to install or update, the logistical IT headaches described above largely disappear. The trade-off is that an agentless control can only act on the data it sees in transit; on-device actions such as a remote wipe or PIN enforcement remain the preserve of MDM, so organizations should be clear about which controls they actually need for a given class of data.

The days of trusted device security models are numbered. Organizations are starting to realize that no matter how locked down a device is, the risk of data leakage can never be eliminated. Device security cannot be the cornerstone of an effective security solution. Switching focus to the data rather than the device helps to sidestep the major privacy and logistical issues associated with more invasive, device-based security tools, leading to a win-win for organizations and employees.